Your message dated Sun, 26 Nov 2023 12:28:03 +1100
with message-id <2351578.NZ3HXt0aWW@deblab>
and subject line Re: #1056736 smartmontools: please do not force people to use
update-smart-drivedb and install foreign code
has caused the Debian Bug report #1056736,
regarding smartmontools: please do not force people to use update-smart-drivedb
and install foreign code
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1056736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056736
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: smartmontools
Version: 7.4-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>
Hey.
The most recent upgrade forces people to use
update-smart-drivedb by doing it already in the postinst and not leaving it
up to the user whether he wants to use such a tool.
Security-wise this is really a bad idea.
Downloader packages (i.e. packages that install further code from
outside Debian) - and this effectively just that - are generally questionable.
Even if the downloader tool does everything right (which is actually quite
difficult if one assumes things like replay or blocking attacks), there's still
code introduced which is not in the control of Debian and especially also
outside security support.
Now you may argue that Debian doesn't audit the drivedb.h it ships either and
that thus security wouldn't be any better if Debian would just ship the
upstream file.
But there's still a difference:
If Debian ships the package, then all installations are guaranteed to get the
same file. So an attacker would need to attack all installation at the same
time and thus be far more likely to be detected.
If however the package is downloaded from some remote server, an attacker can
choose based on IP whether the "good" or the "evil" file is delivered.
And this is not to say that I'd assume smartmontools upstream would be evil.
But even their GPG keys or systemd can be compromised.
The package already has the update-smart-drivedb tool, if people are confident
with using it, they can do so.
But please don't force it on everyone by unconditionally calling it from
postinst (or from anywhere else).
Cheers,
Chris.
--- End Message ---
--- Begin Message ---
Closing misunderstood bug report, as advised by Paul Wise.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
--
Cheers,
Dmitry Smirnov
GPG key : 4096R/52B6BBD953968D1B
---
To predict the behavior of ordinary people in advance, you only have to
assume that they will always try to escape a disagreeable situation with
the smallest possible expenditure of intelligence.
-- Friedrich Nietzsche
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
